The Red Hat Security Response Team has rated this update as havingimportant security impact. Common Vulnerability Scoring System (CVSS) basescores, which give detailed severity ratings, are available for eachvulnerability from the CVE links in the References section.

These packages provide the OpenJDK 6 Java Runtime Environment and theOpenJDK 6 Software Development Kit. The Java Runtime Environment (JRE)contains the software and tools that users need to run applications writtenusing the Java programming language.

A flaw was found in the way the TLS/SSL (Transport Layer Security/SecureSockets Layer) protocols handle session renegotiation. A man-in-the-middleattacker could use this flaw to prefix arbitrary plain text to a client'ssession (for example, an HTTPS connection to a website). This could forcethe server to process an attacker's request as if authenticated using thevictim's credentials. (CVE-2009-3555)

This update disables renegotiation in the Java Secure Socket Extension(JSSE) component. Unsafe renegotiation can be re-enabled using thesun.security.ssl.allowUnsafeRenegotiation property. Refer to the followingKnowledgebase article for details:http://kbase.redhat.com/faq/docs/DOC-20491

A number of flaws have been fixed in the Java Virtual Machine (JVM) and invarious Java class implementations. These flaws could allow an unsignedapplet or application to bypass intended access restrictions.(CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0088, CVE-2010-0094)

An untrusted applet could access clipboard information if a drag operationwas performed over that applet's canvas. This could lead to an informationleak. (CVE-2010-0091)